CS 501 Home

Syllabus

Projects

Books and Readings

Assignments

Quizzes

Academic Integrity

About this site

Client

Ron DiNapoli, Advanced Technology and Architectures, CIT, rd29@cornell.edu.

Public Key Infrastructure

CIT's Advanced Technology and Architectures serves as a breeding ground for new ideas as they become mainstream. There are two project suggestions in the area of Public Key Infrastructure (PKI).

Hardware Token Based Password Management for MacOS X

The Aladdin eToken Pro is a USB hardware token used to store digital certificates and private keys for the purposes of performing digital signature and other PKI related operations. Aladdin has software for Windows which also allows the token to be used as a Password Management token. It stores passwords in an encrypted state and can recall them automatically when users visit certain web sites or other Windows based login systems. The aim of this project is to implement similar functionality on a MacOS X system utilizing Apple's Keychain technology.

This is a technically challenging project. Aladdin does not provide a way to integrate their hardware token with the Apple Keychain. The client has written some software that allows the PKI operations to happen through the Keychain interface, but is not 100% sure that the Keychain will be able to address the token as a password store separately or not. Alternatively, this functionality would need to be incorporated directly into code which he is writing to handle the PKI operations.

Online Registration Authority for PKI Certificates

One of the key problems in a PKI is striking the right balance of user convenience and levels of assurance when issuing digital certificates. A number of our other universities who have production PKIs in place utilize a web based request system that can be used to populate a hardware token (or the end user's software certificate store). This project involves designing a web based certificate request system for the Aladdin eToken USB token. It will involve allowing a certificate request to be generated from the end user's browser allowing the token to generate the private key. The request will also need to contain some yet-to-be-determined factors (such as the end user must authenticate with Kerberos), which increase our assurances that the request is bona fide. The system will store requests until they can be processed manually. The retrieval of such requests and issuance of corresponding digital certificates is not within the scope of this project. The system will need to allow a generated digital certificate to be entered back into this system such that the requesting party may retrieve the certificate online when ready.

This entire project may be too big to complete in one semester, but it is very doable, especially if the level of assurance compromise is simply that Kerberos authentication is required.